The Protection of Personal Information Act (POPIA) was signed into South African law in November 2013, with its substantive provisions taking effect on a commencement date to be proclaimed later. This comprehensive information security law regulates how business organizations collect and store customer data and mandates the data protection measures they must take.
The main objective of the act is to give effect to the constitutional right to privacy, to strike the right balance between that right and other rights such as the right of access to information, and to regulate the free flow of personal information.
The conditions for the lawful processing of personal information by business organizations are grouped into eight headings:
- Accountability: The organization processing the data (the responsible party) must ensure that all of the conditions below are met, and must implement the controls needed to do so.
- Processing limitation: Personal information may be processed only lawfully, in a reasonable manner that does not infringe the privacy of the data subject, and only as much as is adequate and relevant for the purpose; processing requires the data subject's consent or another legitimate justification.
- Purpose specification: Personal information must be collected for a specific, explicitly defined and lawful purpose, and the data subject must be made aware of that purpose.
- Further processing limitation: Any further processing must be compatible with the purpose for which the information was originally collected.
- Information quality: The organization must take reasonable steps to ensure that personal information is complete, accurate, up to date and not misleading.
- Openness: The organization must document its processing operations and must notify the data subject that information about them is being collected, including who is collecting it and why.
- Security safeguards: The integrity and confidentiality of personal information must be protected through appropriate technical and organizational controls. Security compromises must be notified to the Information Regulator and to the affected data subjects.
- Data subject participation: A data subject has the right to ask an organization, free of charge, to confirm whether it holds personal information about them and what that information is. The data subject may also require the organization to correct or delete information that is inaccurate, irrelevant, excessive, out of date, incomplete or misleading. This right applies regardless of how strong the organization's data protection measures are.
POPIA incorporates and is aligned with many provisions of the European Union Data Protection Directive. POPIA restricts the transfer of personal information outside South Africa: a transfer is permitted only under conditions such as the recipient being bound by a law, binding corporate rules or a contract that provides protection equivalent to POPIA, or the data subject having consented to the transfer. The act does not apply to the processing of personal information solely for journalistic, literary or artistic purposes.
POPIA aims to bring about a change in how public and private organizations handle personal information, so that they act responsibly with respect to data security. The act provides for fines of up to R10 million (roughly EUR 650,000 at the time of writing) for contraventions of the act.
POPIA is another positive step towards data security and protection of personal information.
Authored by Suhas Rautmare